Reorganize nftables and relax stateful firewall
This commit is contained in:
parent
3e3c7afbd7
commit
55707c2e84
|
@ -3,7 +3,7 @@
|
||||||
|
|
||||||
. ../APKBUILD-config.template
|
. ../APKBUILD-config.template
|
||||||
|
|
||||||
pkgver=2022.04.03.05
|
pkgver=2022.05.28.02
|
||||||
pkgrel=0
|
pkgrel=0
|
||||||
options="!check" # check requires root?
|
options="!check" # check requires root?
|
||||||
|
|
||||||
|
|
|
@ -1,2 +1 @@
|
||||||
tcp dport 143 counter accept;
|
tcp dport { 143, 993 } counter accept;
|
||||||
tcp dport 993 counter accept;
|
|
||||||
|
|
|
@ -1,3 +1 @@
|
||||||
tcp dport 80 counter accept;
|
tcp dport { 80, 443, 2442 } counter accept;
|
||||||
tcp dport 443 counter accept;
|
|
||||||
tcp dport 2442 counter accept; # Gitea SSH
|
|
||||||
|
|
|
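Review bot: The `# Gitea SSH` annotation on port 2442 is lost when the three rules collapse into `tcp dport { 80, 443, 2442 } counter accept;`; 2442 is not a well-known port, so a later reader cannot tell why it sits next to HTTP/HTTPS. Keep the explanation on the merged line, e.g. `tcp dport { 80, 443, 2442 } counter accept; # 80/443 HTTP(S), 2442 Gitea SSH`.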
@ -1,3 +1 @@
|
||||||
tcp dport 25 counter accept;
|
tcp dport { 25, 465, 587 } counter accept;
|
||||||
tcp dport 465 counter accept;
|
|
||||||
tcp dport 587 counter accept;
|
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
ct state invalid counter drop;
|
|
||||||
ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter reject with icmpx type admin-prohibited;
|
|
||||||
ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter reject with icmpx type admin-prohibited;
|
|
|
@ -1 +0,0 @@
|
||||||
ct state related,established counter accept;
|
|
|
@ -1,9 +1,6 @@
|
||||||
#iifname "eth0" ct state new meter limit4 { ip saddr ct count over 10 } counter reject;
|
|
||||||
#iifname "eth0" ct state new meter limit6 { ip6 saddr ct count over 10 } counter reject;
|
|
||||||
|
|
||||||
# Ban if connection attempts are still made over the limit
|
# Ban if connection attempts are still made over the limit
|
||||||
iifname "eth0" ct state new meter ban4 { ip saddr timeout 1h limit rate over 20/minute burst 40 packets } update @blackhole4 { ip saddr timeout 10m } counter reject;
|
ct state new meter ban4 { ip saddr timeout 1h limit rate over 1/second burst 10 packets } update @blackhole4 { ip saddr timeout 1h } counter;
|
||||||
iifname "eth0" ct state new meter ban6 { ip6 saddr timeout 1h limit rate over 20/minute burst 40 packets } update @blackhole6 { ip6 saddr timeout 10m } counter reject;
|
ct state new meter ban6 { ip6 saddr timeout 1h limit rate over 1/second burst 10 packets } update @blackhole6 { ip6 saddr timeout 1h } counter;
|
||||||
|
|
||||||
iifname "eth0" ct state new meter drop4 { ip saddr timeout 5m limit rate over 20/minute } counter reject;
|
ct state new meter drop4 { ip saddr timeout 5m limit rate over 1/second } counter reject;
|
||||||
iifname "eth0" ct state new meter drop6 { ip6 saddr timeout 5m limit rate over 20/minute } counter reject;
|
ct state new meter drop6 { ip6 saddr timeout 5m limit rate over 1/second } counter reject;
|
||||||
|
|
|
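Review bot: The rewritten ban4 and ban6 rules end in `counter;` with no verdict, so the packet that pushes a source over `1/second burst 10` is added to @blackhole4/@blackhole6 and then keeps traversing the chain through drop4/drop6 and the allowed includes, instead of being rejected as the old `counter reject;` did; only the next packet from that address is caught by the @blackhole check, which sits earlier in rxfi, outside this file. If that fall-through is the intended relaxation, state it in the comment above the rule, e.g. `# Ban if connection attempts are still made over the limit; the triggering packet is not rejected here, the @blackhole check in rxfi catches later ones`; otherwise restore `counter reject;` on both the ban4 and ban6 lines.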
@ -1,4 +0,0 @@
|
||||||
iifname "lo" counter accept; # Loopback
|
|
||||||
iifname "eth1" counter accept; # Private network
|
|
||||||
icmp type { echo-request } counter accept;
|
|
||||||
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;
|
|
|
@ -12,12 +12,23 @@ table inet redxenfirewall {
|
||||||
|
|
||||||
chain rxfi {
|
chain rxfi {
|
||||||
type filter hook input priority 0;
|
type filter hook input priority 0;
|
||||||
policy drop;
|
policy accept;
|
||||||
include "inet/redxenfirewall/filter/input/blocked/*";
|
|
||||||
include "inet/redxenfirewall/filter/input/trusted/*";
|
ct state invalid counter drop;
|
||||||
|
ip saddr @blackhole4 update @blackhole4 { ip saddr timeout 1h } counter reject with icmpx type admin-prohibited;
|
||||||
|
ip6 saddr @blackhole6 update @blackhole6 { ip6 saddr timeout 1h } counter reject with icmpx type admin-prohibited;
|
||||||
|
|
||||||
|
icmp type { echo-request } counter accept;
|
||||||
|
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } counter accept;
|
||||||
|
ct state related,established counter accept;
|
||||||
|
|
||||||
|
iifname "eth0" jump rxfi-extern;
|
||||||
|
}
|
||||||
|
|
||||||
|
chain rxfi-extern {
|
||||||
include "inet/redxenfirewall/filter/input/stateful/*";
|
include "inet/redxenfirewall/filter/input/stateful/*";
|
||||||
include "inet/redxenfirewall/filter/input/allowed/*";
|
include "inet/redxenfirewall/filter/input/allowed/*";
|
||||||
include "inet/redxenfirewall/filter/input/established/*";
|
|
||||||
counter reject with icmpx type admin-prohibited;
|
counter reject with icmpx type admin-prohibited;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
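Review bot: With `policy accept;` on the input hook and only `iifname "eth0" jump rxfi-extern;` feeding the restrictive chain, every interface other than eth0 is now accepted by default, whereas the removed trusted include admitted only lo and eth1 by name; an interface added later (a tunnel, bridge or container veth) is therefore open without any rule mentioning it. rxfi-extern still ends with `counter reject with icmpx type admin-prohibited;`, so eth0 keeps its default-deny. If the relaxation is meant for lo and eth1 only, keep the chain on `policy drop;` and admit them explicitly before the jump, `iifname { "lo", "eth1" } counter accept;`, which preserves the new two-chain layout; if it is meant for all interfaces, a comment next to the policy line saying so would stop the next reader from treating it as an oversight.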